I was balancing my checkbook this morning when I discovered two charges I didn't recognize. My wife does her fair share of online transacting, so I asked her what they were. She couldn't remember so I did what I normally do: investigate. Most of the time, my research jogs her memory and I can dutifully assign the transaction the appropriate category in Quicken. This time was different.
I went to PayPal and discovered two illicit transactions in euros to RapidShare. On my online banking site, I found a charge from Yahoo Small Business Hosting. Crap! The guy had changed my email address to a Yahoo one (the same one, incidentally, used to register a domain and set up hosting) and I promptly changed my password. I completed the PayPal dispute form.
I went to Yahoo and tried to login for the guy (hoping he had used my compromised password—a guy can dream, y'know). From my attempt to reset his password, I determined that he had my debit card number! I reported the card stolen and I think all of his attack vectors are closed off. I had only used my PayPal password once before with a wholly unrelated email address so I'm not worried about him ruining my online life.
Sandi and I were trying to think of how we got compromised. It seems like a textbook case of phishing, but Sandi is pretty aware of that and her computer has nothing stored in Keychain for that PayPal account. I'm very aware of phishing and I haven't been to PayPal in a very long time. What's particularly confounding is the Yahoo account, which was definitely established with a credit card number and not through PayPal. Very strange, but all is being resolved now.
The moral of this story is to balance your account regularly—I last did it on February 8th. If I had waited longer, there's no telling how much more damage this a-hole could have done. I'm truly surprised at how little he did—maybe he's a slacker—so I guess I lucked out by not being violated by someone with ambition and drive.